<p>A policy that grants all permissions may indicate an improper access control, which violates <a
href="https://en.wikipedia.org/wiki/Principle_of_least_privilege">the principle of least privilege</a>. Suppose an identity is granted full
permissions to a resource even though it only requires read permission to work as expected. In this case, an unintentional overwriting of resources
may occur and therefore result in loss of information.</p>
<h2>Ask Yourself Whether</h2>
<p>Identities obtaining all the permissions:</p>
<ul>
  <li> only require a subset of these permissions to perform the intended function. </li>
  <li> have monitored activity showing that only a subset of these permissions is actually used. </li>
</ul>
<p>There is a risk if you answered yes to any of those questions.</p>
<h2>Recommended Secure Coding Practices</h2>
<p>It’s recommended to apply the least privilege principle, i.e. by only granting the necessary permissions to identities. A good practice is to start
with the very minimum set of permissions and to refine the policy over time. In order to fix overly permissive policies already deployed in
production, a strategy could be to review the monitored activity in order to reduce the set of permissions to those most used.</p>
<h2>Sensitive Code Example</h2>
<p>A customer-managed policy that grants all permissions by using the wildcard (*) in the <code>Action</code> property:</p>
<pre>
import { aws_iam as iam } from 'aws-cdk-lib'

new iam.PolicyStatement({
    effect: iam.Effect.ALLOW,
    actions: ["*"], // Sensitive
    resources: ["arn:aws:iam:::user/*"],
})
</pre>
<h2>Compliant Solution</h2>
<p>A customer-managed policy that grants only the required permissions:</p>
<pre>
import { aws_iam as iam } from 'aws-cdk-lib'

new iam.PolicyStatement({
    effect: iam.Effect.ALLOW,
    actions: ["iam:GetAccountSummary"],
    resources: ["arn:aws:iam:::user/*"],
})
</pre>
<h2>See</h2>
<ul>
  <li> <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#grant-least-privilege">AWS Documentation</a> - Grant least
  privilege </li>
  <li> <a href="https://cloud.google.com/iam/docs/understanding-roles">Google Cloud Documentation</a> - Understanding roles </li>
  <li> CWE - <a href="https://cwe.mitre.org/data/definitions/732">CWE-732 - Incorrect Permission Assignment for Critical Resource</a> </li>
  <li> CWE - <a href="https://cwe.mitre.org/data/definitions/284">CWE-284 - Improper Access Control</a> </li>
</ul>
